Here’s a quick heads-up that saves a *ton* of pain when sorting package versions on RHEL/Fedora/SUSE-style systems: **never compare RPM versions as plain strings.**

RPM compares **EVR** — `Epoch:Version-Release` — left-to-right, and if epochs differ, it stops right there. Missing epoch is treated as `0`. Backports (e.g., old Version with higher Release) and vendor epochs will break naive compares. Use an **rpmvercmp-equivalent** and persist versions as a 3-tuple `(epoch, version, release)`. ([RPM][1])

**Why this matters**

* `1:1.0-1` **>** `0:2.0-100` because `1` (epoch) beats everything after. ([RPM][1])
* Fedora/Red Hat guidelines explicitly say EVR ordering governs upgrade paths; epochs are the most significant input and shouldn’t be removed once added. ([Fedora Docs][2])

**Correct approach (any language)**

* Parse to **NEVRA** (Name, Epoch, Version, Release, Arch), then compare by **EVR** using rpm’s algorithm; don’t roll your own string logic. ([Docs.rs][3])
* If you can’t link against librpm, use a well-known **rpmvercmp** implementation for your stack. Python and PHP have ready helpers. ([PyPI][4])

**Drop-in options**

* **Python**: `rpm-vercmp` (pure Python) for EVR compares. Store `epoch` as int (default `0`), `version`/`release` as strings, and call the comparator. ([PyPI][4])
* **.NET/C#**: no official rpmvercmp, but mirror the spec: split EVR, compare epochs numerically; for `version`/`release`, compare segment-by-segment using rpm rules (alphanumeric runs; numeric segments compare as integers; tildes sort before anything, etc.). (Spec summary in rpm-version(7).) ([RPM][1])
* **Rust/Go**: model NEVRA (existing crates/docs show structure) and wire a comparator consistent with rpmvercmp. ([Docs.rs][3])

**Practical tips for your pipelines**

* **Persist EVR**, not strings like `"1.2.3-4.el9"`. Keep `epoch` explicitly; don’t drop `0`. ([Fedora Docs][2])
* **Normalize inputs** (e.g., from `rpm -q` vs `repoquery`) so missing epochs don’t cause mismatches. ([CPAN][5])
* **Backport-aware sorting**: rely on EVR, *not* semver. Semver comparisons will misorder distro backports. (Fedora docs highlight EVR as authoritative.) ([Red Hat Docs][6])

If you want, I can sketch a tiny C# `RpmEvrComparer` tailored to your .NET 10 repos and wire it into your SBOM/VEX flows so Feedser/Vexer sort updates correctly.

[1]: https://rpm.org/docs/6.0.x/man/rpm-version.7?utm_source=chatgpt.com "rpm-version(7)"
[2]: https://docs.fedoraproject.org/en-US/packaging-guidelines/Versioning/?utm_source=chatgpt.com "Versioning Guidelines - Fedora Docs"
[3]: https://docs.rs/rpm/latest/rpm/struct.Nevra.html?utm_source=chatgpt.com "Nevra in rpm - Rust"
[4]: https://pypi.org/project/rpm-vercmp/?utm_source=chatgpt.com "rpm-vercmp"
[5]: https://www.cpan.org/modules/by-module/RPM/RPM-NEVRA-v0.0.5.readme?utm_source=chatgpt.com "RPM-NEVRA-v0.0.5.readme"
[6]: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10/html/packaging_and_distributing_software/packaging-software?utm_source=chatgpt.com "Chapter 6. Packaging software"
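
To make the segment rules above concrete, here is an added example (not code from the original page or from the rpm project): a compact Python port of the comparison covering epochs, numeric versus alphabetic segments, the tilde, and the caret that rpm-version(7) also defines. The function names and the sample EVR strings are constructed for illustration; in production, librpm or the `rpm-vercmp` package mentioned above is the safer choice.

```python
import re
from functools import cmp_to_key
_SEP = re.compile(r"[^A-Za-z0-9~^]*")   # separators only delimit segments
_NUM, _ALPHA = re.compile(r"[0-9]*"), re.compile(r"[A-Za-z]*")

def rpmvercmp(a, b):
    """Compare two Version or Release strings by rpm's segment rules: -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        i, j = _SEP.match(a, i).end(), _SEP.match(b, j).end()
        ca, cb = a[i:i + 1], b[j:j + 1]          # "" means end of string
        if "~" in (ca, cb):                      # tilde sorts before everything, even the end
            if ca != cb:
                return -1 if ca == "~" else 1
            i, j = i + 1, j + 1
            continue
        if "^" in (ca, cb):                      # caret sorts after the end, before the rest
            if ca != cb:
                return (1 if not cb else -1) if ca == "^" else (-1 if not ca else 1)
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:
            break
        pat = _NUM if ca.isdigit() else _ALPHA
        sa, sb = pat.match(a, i).group(), pat.match(b, j).group()
        if not sb:                               # segment types differ: numeric is newer
            return 1 if pat is _NUM else -1
        i, j = i + len(sa), j + len(sb)
        if pat is _NUM:                          # integer compare: drop zeros, longer wins
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    return (i < len(a)) - (j < len(b))           # whoever has segments left is newer

def parse_evr(evr):
    """Split '[epoch:]version[-release]' into (epoch, version, release); no epoch means 0."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release

def evr_cmp(x, y):
    (ea, va, ra), (eb, vb, rb) = parse_evr(x), parse_evr(y)
    return (ea > eb) - (ea < eb) or rpmvercmp(va, vb) or rpmvercmp(ra, rb)

SAMPLES = ["0:2.0-100", "1:1.0-1", "1.0-10.el9", "1.0-9.el9", "1.0~rc1-1.el9"]  # constructed
def sort_evr(evrs):
    return sorted(evrs, key=cmp_to_key(evr_cmp))
```

Comparing `sort_evr(SAMPLES)` with `sorted(SAMPLES)` shows the plain string sort misplacing the epoch, the `~rc1` pre-release and the two-digit release.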